RouterOS Script Collection

论坛徽章:
0
跳转到指定楼层
1 [收藏(0)] [报告]
Posted 2008-12-25 07:01
A collection of RouterOS scripts, most of them found online, kept here so I can look them up when I need them.
..........................................................
.............................
Multi-line dynamic ADSL access control script --- 脚本的风采
The script:
:local assign-address
:local new-address
:local status
:local x
# x = number of pppoe-out interfaces (pppoe-out1 .. pppoe-outN) to check
:set x 2
:for i from=1 to=$x do={
    # only an interface that is currently up has a dynamic address to read
    :set status [/interface get [/interface find name=("pppoe-out" . $i)] running]
    :if ($status=true) do={
        # the address the ISP assigned right now, with the trailing "/32" stripped
        :set new-address [/ip address get [/ip address find dynamic=yes interface=("pppoe-out" . $i)] address]
        :set new-address [:pick $new-address 0 ([:len $new-address] -3)]
        # the static address currently configured on the same interface, also without "/32"
        :set assign-address [/ip address get [/ip address find dynamic=no interface=("pppoe-out" . $i)] address]
        :set assign-address [:pick $assign-address 0 ([:len $assign-address] -3)]
        # if the ISP changed the address, update the address and route entries tagged with comment=<i>
        :if ($assign-address != $new-address) do={ \
            /ip address set [/ip address find comment=$i] address=$new-address network=$new-address broadcast=$new-address
            /ip route set [/ip route find comment=$i] gateway=$new-address
        }
    }
}
----------------------------------------------
2.9 series ADSL port-mapping loopback script and a new problem --- 脚本的风采
:log info "Add-Nat: Sending Dynamic NAT update Begin"
# the pppoe-out interface and the address it currently holds
:global ddns-interface [ /interface find type=pppoe-out ]
:global ddns-ip [ /ip address get [/ip address find interface=$ddns-interface] address ]
# forward 80/25/21 arriving on that address to the internal host 192.168.10.251
/ip firewall nat add chain=dstnat dst-address=$ddns-ip protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.10.251 to-ports=80 comment="WEB"
/ip firewall nat add chain=dstnat dst-address=$ddns-ip protocol=tcp dst-port=25 action=dst-nat to-addresses=192.168.10.251 to-ports=25 comment="SMTP"
/ip firewall nat add chain=dstnat dst-address=$ddns-ip protocol=tcp dst-port=21 action=dst-nat to-addresses=192.168.10.251 to-ports=21 comment="FTP"
:log info "Add-Nat: Sending Dynamic NAT update End Success!!!"
The script above automatically forwards ports from the ADSL PPPoE IP address to the machine 192.168.10.251; the ports come after the address, and both the address and the ports can be changed as needed. Then
create a script named add-nat under System > Script.
:log info "remove when ip is down"
# the rules have no name, so they are matched by their comment
/ip firewall nat remove [find comment="WEB"]
/ip firewall nat remove [find comment="SMTP"]
/ip firewall nat remove [find comment="FTP"]
:log info "remove successful!!!"
Create a script named remove-nat under System > Script.
Then under Tools > Netwatch add a watch on the gateway with Up: add-nat and Down: remove-nat. That is all; the line now behaves like a fixed IP.
------------------------------------------------
Quick PPPoE server setup script --- 脚本的风采
1. First reset the ROS (you can add whatever else you want later)
2. Copy the script into the ROS via FTP
3. On the ROS console type: im pppoe.rsc
That is all it takes to set up your PPPoE server.
Note: edit the script first! A sample script follows:
/ip address
add address=10.0.0.223/24 interface=ether1
# add the WAN IP 10.0.0.223 on the ether1 interface
/ip pool
add name=mypool ranges=192.168.0.2-192.168.0.254
# add the address pool for the PPPoE service
/ppp profile
add name="myserver" local-address=192.168.0.1 remote-address=mypool use-compression=default use-vj-compression=default \
    use-encryption=default only-one=default change-tcp-mss=default rate-limit=512k/2048k comment=""
# add the PPPoE service address 192.168.0.1 and set the up/down rate to 512k/2048k; for more profiles copy this line and edit it
/ppp secret
add name=abc password=111 service=pppoe profile=myserver
# add a PPPoE user with username abc and password 111 in the service profile myserver; for more users copy this line and edit it
/ interface pppoe-server server
add service-name="mypppoe" interface=ether2 max-mtu=1480 max-mru=1480 \
    authentication=pap,chap,mschap1,mschap2 keepalive-timeout=10 \
    one-session-per-host=no max-sessions=0 default-profile=myserver \
    disabled=no
# create the PPPoE server
/ ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="" disabled=no
# NAT (masquerade) on the WAN interface ether1
/ ip route
add dst-address=0.0.0.0/0 gateway=10.0.0.222 scope=255 target-scope=10 \
    comment="added by setup" disabled=no
# set the gateway 10.0.0.222
-----------------------------------------------
Day-count auto-disable script, ROS 2.8 version -- 脚本的风采
Create the user profiles
/ppp profile
add name="normaluser" only-one=yes tx-bit-rate=100000 rx-bit-rate=600000
add name="freeuser" only-one=yes tx-bit-rate=100000 rx-bit-rate=600000
The disable script (ROS 2.8)
:local bz
# only disable normaluser (ordinary) accounts
:foreach i in=[/ppp secret find profile=normaluser] do={
# accounts that are already disabled do not get their day count decremented, or it would go negative
   :if (![/ppp secret get $i disabled]) do={
# read the account's comment; the comment holds the number of days left
      :set bz [/ppp secret get $i comment]
# subtract 1 from the day count; the spaces around the minus sign are mandatory, otherwise it will not evaluate, ROS scripting is that strict
      :set bz ($bz - 1)
# write the day count back to the comment
      /ppp secret set $i comment=$bz
# if the day count in the comment is <= 0, disable the account
# (this condition and the closing braces were lost on the forum page; restored from the comment above)
      :if ($bz <= 0) do={/ppp secret set $i disabled=yes}
   }
}
...script, run it once and that's it; this binds the MAC and IP addresses of the machines currently online.
--------------------------------------------------------
Classic RouterOS scripts
2008-10-18 22:14
1: Rate-limit script
:for wbsz from 1 to 254 do={/queue simple add name=("wbsz" . $wbsz) dst-address=("192.168.0." . $wbsz) limit-at=1024K/1024K max-limit=1024K/1024K}
2: Limit the maximum number of connections per machine
:for wbsz from 1 to 254 do={/ip firewall filter add chain=forward src-address=("192.168.0." . $wbsz) protocol=tcp connection-limit=50,32 action=drop}
3: Port forwarding
/ip firewall nat add chain=dstnat dst-address=202.96.134.134 protocol=tcp dst-port=80 to-addresses=192.168.0.1 to-ports=80 action=dst-nat
4: Block a port number
/ ip firewall filter
add chain=forward protocol=tcp dst-port=8000 action=drop comment="Blockade QQ"
5: Change the telnet service port
/ip service set telnet port=23
6: Change the SSH management service port
/ip service set ssh port=22
7: Change the www service port
/ip service set www port=80
8: Change the FTP service port
/ip service set ftp port=21
9: Add a management user to this ROS
/user add name=wbsz password=admin group=full
10: Remove the rate-limit queues
:for wbsz from 1 to 254 do={/queue simple remove [find name=("wbsz" . $wbsz)] }
11: Block an IP script
/ ip firewall filter
add chain=forward dst-address=58.60.13.38/32 action=drop comment="Blockade QQ"
12: Block P2P script
/ ip firewall filter
add chain=forward src-address=192.168.0.0/24 p2p=all-p2p   action=drop comment="No P2P"
13: Limit the maximum number of TCP connections per machine (limit = 60)
/ ip firewall filter
add chain=forward protocol=tcp connection-limit=60,32 action=drop \
     disabled=no
14: Bind the MACs of all online machines in one go
:foreach wbsz in=[/ip arp find dynamic=yes ] do={/ip arp add copy-from=$wbsz}
15: Remove all bound MACs
:foreach wbsz in [/ip arp find] do={/ip arp remove $wbsz}
16: Block ping
/ ip firewall filter
add chain=output protocol=icmp action=drop comment="No Ping"
17: Block eMule
/ ip firewall filter
add chain=forward protocol=tcp dst-port=4661-4662 action=drop comment="No Emule"
add chain=forward protocol=tcp dst-port=4242 action=drop
add chain=forward dst-address=62.241.53.15 action=drop
18: Block PPLive
/ ip firewall filter
add chain=forward protocol=tcp dst-port=8008 action=drop comment="No PPlive TV"
add chain=forward protocol=udp dst-port=4004 action=drop
add chain=forward dst-address=218.108.237.11 action=drop
19: Block QQLive
/ ip firewall filter
add chain=forward protocol=udp dst-port=13000-14000 action=drop comment="No QQLive"
20: Block BitSpirit
/ ip firewall filter
add chain=forward protocol=tcp dst-port=16881 action=drop comment="No BitSpirit"
21: Block QQ chat (do not use unless necessary)
/ ip firewall filter
add chain=forward src-address=10.5.6.7/32 action=accept comment="No Tencent QQ"
add chain=forward protocol=tcp dst-port=8000 action=drop
add chain=forward protocol=udp dst-port=8000 action=drop
add chain=forward dst-address=61.144.238.0/24 action=drop
add chain=forward dst-address=61.152.100.0/24 action=drop
add chain=forward dst-address=61.141.194.0/24 action=drop
add chain=forward dst-address=202.96.170.163/32 action=drop
add chain=forward dst-address=202.104.129.0/24 action=drop
add chain=forward dst-address=202.104.193.20/32 action=drop
add chain=forward dst-address=202.104.193.11/32 action=drop
add chain=forward dst-address=202.104.193.12/32 action=drop
add chain=forward dst-address=218.17.209.23/32 action=drop
add chain=forward dst-address=218.18.95.153/32 action=drop
add chain=forward dst-address=218.18.95.165/32 action=drop
add chain=forward dst-address=218.18.95.220/32 action=drop
add chain=forward dst-address=218.85.138.70/32 action=drop
add chain=forward dst-address=219.133.38.0/24 action=drop
add chain=forward dst-address=219.133.49.0/24 action=drop
add chain=forward dst-address=220.133.40.0/24 action=drop
add chain=forward content=sz.tencent action=reject
add chain=forward content=sz2.tencent action=reject
add chain=forward content=sz3.tencent action=reject
add chain=forward content=sz4.tencent action=reject
add chain=forward content=sz5.tencent action=reject
add chain=forward content=sz6.tencent action=reject
add chain=forward content=sz7.tencent action=reject
add chain=forward content=sz8.tencent action=reject
add chain=forward content=sz9.tencent action=reject
add chain=forward content=tcpconn.tencent action=reject
add chain=forward content=tcpconn2.tencent action=reject
add chain=forward content=tcpconn3.tencent action=reject
add chain=forward content=tcpconn4.tencent action=reject
add chain=forward content=tcpconn5.tencent action=reject
add chain=forward content=tcpconn6.tencent action=reject
add chain=forward content=tcpconn7.tencent action=reject
add chain=forward content=tcpconn8.tencent action=reject
add chain=forward content=qq action=reject
add chain=forward content=www.qq action=reject
22: Block the Gray Pigeon (灰鸽子) backdoor
/ ip firewall filter
add chain=forward protocol=tcp dst-port=1999 action=drop comment="Backdoor.GrayBird.ad"
add chain=forward dst-address=80.190.240.125 action=drop
add chain=forward dst-address=203.209.245.168 action=drop
add chain=forward dst-address=210.192.122.106 action=drop
add chain=forward dst-address=218.30.88.43 action=drop
add chain=forward dst-address=219.238.233.110 action=drop
add chain=forward dst-address=222.186.8.88 action=drop
add chain=forward dst-address=124.42.125.37 action=drop
add chain=forward dst-address=210.192.122.107 action=drop
add chain=forward dst-address=61.147.118.198 action=drop
add chain=forward dst-address=219.238.233.11 action=drop
23: Block 三波 (3B)
/ ip firewall filter
add chain=forward protocol=tcp dst-port=135-139 action=drop comment="No 3B"
How to use the scripts above:
Log in with winbox.exe, go to System -- Script, click +, paste the corresponding script, then click Run Script; the script is now installed!
----------------------------------------------------------
Official RouterOS firewall script
2008-11-09 16:42
port=1719 action=accept comment="allow \
Telephony" disabled=yes
add chain=services protocol=vrrp action=accept comment="allow VRRP " \
disabled=yes
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop \
Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop \
Messenger Worm" disabled=no
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster \
Worm" disabled=no
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster \
Worm" disabled=no
add chain=virus protocol=tcp dst-port=593 action=drop comment="________" \
disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" \
disabled=no
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" \
disabled=no
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" \
disabled=no
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" \
disabled=no
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" \
disabled=no
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" \
disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" \
disabled=no
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" \
disabled=no
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" \
disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" \
disabled=no
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" \
disabled=no
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" \
disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop \
Beagle.C-K" disabled=no
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop \
MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor \
OptixPro" disabled=no
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" \
disabled=no
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" \
disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" \
disabled=no
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" \
disabled=no
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop \
Dabber.A-B" disabled=no
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop \
Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop \
MyDoom.B" disabled=no
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" \
disabled=no
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" \
disabled=no
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop \
SubSeven" disabled=no
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, \
Gaobot" disabled=no
add chain=forward connection-state=established action=accept comment="accept \
established packets" disabled=no
add chain=forward connection-state=related action=accept comment="accept \
related packets" disabled=no
add chain=forward connection-state=invalid action=drop comment="drop invalid \
packets" disabled=no
add chain=forward src-address-type=!unicast action=drop comment="drop all that \
is not from unicast" disabled=no
add chain=forward in-interface=internet src-address-list=not_in_internet \
action=drop comment="drop data from bogon IP's" disabled=no
add chain=forward in-interface=!internet dst-address-list=not_in_internet \
action=drop comment="drop data to bogon IP's" disabled=no
add chain=forward protocol=icmp action=jump jump-target=ICMP comment="jump to \
chain ICMP" disabled=no
add chain=forward action=jump jump-target=virus comment="jump to virus chain" \
disabled=no
add chain=forward action=accept comment="Accept everything else" disabled=no
add chain=output connection-state=invalid action=drop comment="drop invalid \
packets" disabled=no
add chain=output connection-state=related action=accept comment="accept \
related packets" disabled=no
add chain=output connection-state=established action=accept comment="accept \
established packets" disabled=no
add chain=output action=drop comment="Drop all connections from this router" \
disabled=no
/ ip firewall address-list
add list=not_in_internet address=0.0.0.0/8 comment="" disabled=no
add list=not_in_internet address=172.16.0.0/12 comment="" disabled=no
add list=not_in_internet address=192.168.0.0/16 comment="" disabled=no
add list=not_in_internet address=10.0.0.0/8 comment="" disabled=no
add list=not_in_internet address=169.254.0.0/16 comment="" disabled=no
add list=not_in_internet address=127.0.0.0/8 comment="" disabled=no
add list=not_in_internet address=224.0.0.0/3 comment="" disabled=no
/ ip firewall service-port
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=yes
set quake3 disabled=no
set mms disabled=no
set gre disabled=yes
set pptp disabled=yes
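As an added example (not part of the original post and not MikroTik code), here is a small Python linter for rules written in the export format above. It joins the backslash-continued lines, tokenizes each add line, and then flags two things worth catching in a long virus chain like this one: exact duplicate rules (the script above lists 2745/tcp twice) and rules placed after a catch-all in the same chain, which can never match. The sample ruleset is constructed from a few of the rules above plus one deliberately unreachable rule.

```python
import shlex

# Constructed sample in the export format shown above (backslash line
# continuations, also inside quoted comments). Rule 3 repeats the 2745/tcp
# drop of rule 1; rule 6 sits behind the "Accept everything else" catch-all.
SAMPLE_EXPORT = r'''
/ ip firewall filter
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" \
disabled=no
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop \
MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop \
Beagle.C-K" disabled=no
add chain=forward action=jump jump-target=virus comment="jump to virus chain" \
disabled=no
add chain=forward action=accept comment="Accept everything else" disabled=no
add chain=forward protocol=tcp dst-port=445 action=drop comment="never hit" \
disabled=no
'''

# keys that describe the rule rather than match packets
NON_MATCH = {"chain", "action", "comment", "disabled", "jump-target"}
TERMINAL = {"accept", "drop", "reject"}  # jump returns, so it is not a catch-all


def parse_rules(text):
    # join continued lines first, then split each "add ..." line into a dict;
    # shlex keeps quoted values such as comment="Drop MyDoom" as one token
    rules = []
    for line in text.replace("\\\n", "").splitlines():
        line = line.strip()
        if line.startswith("add "):
            rules.append(dict(tok.partition("=")[::2] for tok in shlex.split(line[4:])))
    return rules


def lint(rules):
    # report rules that can never match: exact duplicates within a chain and
    # rules placed after a catch-all (no matchers, terminal action) in that chain
    findings, seen, catch_all = [], {}, set()
    for n, r in enumerate(rules, 1):
        if r.get("disabled") == "yes":
            continue
        chain, action = r.get("chain"), r.get("action")
        matchers = tuple(sorted((k, v) for k, v in r.items() if k not in NON_MATCH))
        if chain in catch_all:
            findings.append(f"rule {n} ({r.get('comment')}): unreachable, chain {chain} already ends in a catch-all")
        elif (chain, action, matchers) in seen:
            findings.append(f"rule {n} ({r.get('comment')}): duplicates rule {seen[(chain, action, matchers)]}")
        else:
            seen[(chain, action, matchers)] = n
        if not matchers and action in TERMINAL:
            catch_all.add(chain)
    return findings
```

Running lint(parse_rules(SAMPLE_EXPORT)) reports the duplicate 2745/tcp rule and the rule behind the catch-all; feed it the full export above to check the whole virus chain.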
----------------------------------------------------------
Some commonly used RouterOS scripts
2008-06-16 10:26
Delete all connections
/ ip firewall connection {:foreach r in=[find] do={remove $r}}
Disable firewall rules
:foreach i in=[/ip firewall filter find action=drop ] do={/ip firewall filter disable $i}
Mitigate SYN attacks
Under firewall --> connection --> tracking, set syn sendtime to 50 and rectime to 30
# RouterOS 2.96
# This is a script 神仙 wrote as a trial: it adds one simple queue
# for every IP in the 192.168.0.0 subnet
# The gateway, .100, is not limited
# Note: the file extension should be changed to .rsc
:foreach i in [/queue simple find] \
do {:put ("deleting ... " . [/queue simple get $i name]);
/queue simple remove $i;}
:for i from 1 to 254 \
do { \
:if ($i!=100) \
do {/queue simple add \
name=("queue" . $i) \
limit-at=128000/128000 \
burst-threshold=384000/192000 \
max-limit=512000/256000 \
burst-limit=2000000/512000 \
burst-time=16s/8s \
dst-address=("192.168.0." . $i); \
:put ("192.168.0." . $i . " ... added")} \
}
Scheduled reboot
/system scheduler add interval=24h start-time=11:59:00 on-event={/system reboot}
Change the default gateway
/ip route set [/ip route find dst-address=0.0.0.0/0] gateway=xxx.xxx.xxx.xxx
Simple Queues rate limiting
:for myip from 2 to 254 do={/queue simple add name=("第" . $myip . "号机") target-address=("192.168.0." . $myip . "/32") max-limit=512000/6000000 burst-limit=128000/7000000 burst-threshold=128000/2000000 burst-time=30/30 }
Delete all Simple Queues
/queue simple remove [find]
Batch ARP binding (static ARP)
:foreach i in=[/ip arp find dynamic=yes ] do={/ip arp add copy-from=$i}
After binding this way, remove the ARP/MAC binding for the WAN IP, otherwise the connection may drop. Watch out for this!
..............................................
RouterOS dynamic BT throttling script
:global rx
:global tx
:global dl
:global dm
:global ul
:global um
# sample the traffic on ether3 once
:foreach i in [/interface find name=ether3] do={/interface monitor-traffic $i once do={
:set rx $received-bits-per-second
:set tx $sent-bits-per-second
# current max-limit of the p2p download and upload queues
:foreach d in [/queue tree find name=p2p-download] do={
:set dl [/queue tree get $d max-limit]}
:foreach u in [/queue tree find name=p2p-upload] do={
:set ul [/queue tree get $u max-limit]}
# while the limit is still above 1 Mbit/s and the interface is busy (more than 71303168 bit/s, i.e. 68 Mbit/s received),
# lower max-limit by 1 Mbit/s and limit-at by 2 Mbit/s
# (the comparison operator in the two outer :if lines was missing on the forum page; ">" is assumed here)
:if ($dl>1000000) do={
:if ($rx>71303168) do={
:set dm ($dl+(-1000000))
:set dl ($dl+(-2000000)); /queue tree set p2p-download limit-at=$dl max-limit=$dm}}
# the same for the upload direction
:if ($ul>1000000) do={
:if ($tx>71303168) do={
:set um ($ul+(-1000000))
:set ul ($ul+(-2000000)); /queue tree set p2p-upload limit-at=$ul max-limit=$um}}}}
-----------------------------------------------------------------------



This article comes from the ChinaUnix blog; the original is at: http://blog.chinaunix.net/u1/39746/showart_1740588.html

Reply 2, posted 2010-06-23 20:02
Notice: the author has been banned or deleted; the content was automatically hidden.